How to prevent secrets from being exported as an artifact?

We've found an issue with Bitbucket cloud, where any user with write permissions has the ability to export the runtime secrets, including workspace / repository / deployment secrets, to an artifact. Like so:

1. A user with write access creates a new branch from the main branch.

2. That user then modifies the bitbucket-pipelines.yml file, and adds a step similar to this:

...
script:
  - printenv | tee output.txt
...

artifacts:
  paths:
    - output.txt

3. Then that user can push the changes, and within that branch execute the step, and download the artifact, revealing all of the secrets.

How do you prevent this kind of leakage?

1 answer

0 votes
Theodora Boudale
Atlassian Team
Mar 01, 2023

Hi Tim,

We mention this in our documentation here:

Workspace variables can be accessed by all users with write permission for any repository (private or public) that belongs to the team or account.

Pipelines variables added at the repository level can be used by any user who has write access in the repository.

There is no way to prevent this for workspace and repository variables. However, it is possible to restrict access to deployment variables to admins only:

  • Open the page of a repo on Bitbucket Cloud website and go to Repository settings > Deployments
  • For every deployment environment, there is an option Only allow admins to deploy to this environment.

If your workspace is on the Premium plan, you can enable this option for certain or all deployment environments. If someone who is not an admin triggers a pipeline to an environment that has this feature enabled, the build will get paused.

An admin of the repo can resume a paused build or do nothing. Selecting the cog icon shown in the following screenshot in the paused build will show you the yml file for the commit/branch that triggered the pipeline:

[Screenshot: 2023-03-01 at 11.30.23.png]

Kind regards,
Theodora
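Since the answer above confirms there is no platform setting that stops workspace or repository variables from being exported by a write-access user, a compensating control is to review pipeline definition changes before they run on a branch. The following is an added example, not code from the question, the answer, or Bitbucket: a small audit script that reads a bitbucket-pipelines.yml, finds steps whose script dumps the process environment, and rates them "high" when the step also declares artifacts (the exact pattern described in the question) or "medium" when the dump would only land in the build log. The indentation-based reader, the `ENV_DUMP` command list and the sample pipeline are all constructed for this example; a production check would use a real YAML parser and a tuned command list.

```python
import re
from dataclasses import dataclass, field

# Commands that print the whole process environment. Constructed heuristic
# for illustration, not a Bitbucket feature, and deliberately not exhaustive.
ENV_DUMP = re.compile(
    r"(?:^|[;&|(]\s*)(?:printenv|env|export\s+-p|declare\s+-x)(?:\s|$)"
)


@dataclass
class Step:
    name: str
    script: list = field(default_factory=list)
    artifacts: list = field(default_factory=list)


def parse_steps(text: str) -> list:
    """Minimal indentation-based reader for the parts of bitbucket-pipelines.yml
    this check cares about: each '- step:' with its script commands and its
    artifact paths. It avoids a YAML dependency; files using anchors or flow
    syntax would need a proper parser."""
    steps = []
    section = None          # "script" or "artifacts" while inside that list
    section_indent = -1
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        body = raw.strip()
        if body.startswith("- step:"):
            steps.append(Step(name=f"step {len(steps) + 1}"))
            section = None
            continue
        if section is not None and indent <= section_indent:
            section = None  # dedented past the list we were reading
        if not steps:
            continue
        if body in ("script:", "artifacts:"):
            section, section_indent = body[:-1], indent
        elif section is None and body.startswith("name:"):
            steps[-1].name = body[len("name:"):].strip().strip("\"'")
        elif section is not None and body.startswith("- "):
            # 'paths:' under artifacts is nested deeper, so its items still
            # count as artifacts here.
            item = body[2:].strip().strip("\"'")
            getattr(steps[-1], section).append(item)
    return steps


def audit(pipeline_yaml: str) -> list:
    """Return (step name, severity, dumping commands, artifact paths) for every
    step that dumps the environment. 'high' means the dump is also exported as
    an artifact and can be downloaded from the pipeline page."""
    findings = []
    for step in parse_steps(pipeline_yaml):
        dumps = [cmd for cmd in step.script if ENV_DUMP.search(cmd)]
        if dumps:
            severity = "high" if step.artifacts else "medium"
            findings.append((step.name, severity, dumps, list(step.artifacts)))
    return findings


# Constructed sample pipeline: a normal build, a step mirroring the pattern in
# the question, a step that only echoes the environment to the log, and a
# deployment step that would be subject to the admin-only deploy option.
SAMPLE_PIPELINE = """\
pipelines:
  default:
    - step:
        name: Build
        script:
          - npm ci
          - npm test
    - step:
        name: Export env
        script:
          - printenv | tee output.txt
        artifacts:
          paths:
            - output.txt
    - step:
        name: Debug
        script:
          - env
  branches:
    main:
      - step:
          name: Deploy
          deployment: production
          script:
            - ./deploy.sh
"""

if __name__ == "__main__":
    for name, severity, dumps, artifacts in audit(SAMPLE_PIPELINE):
        print(f"[{severity}] step '{name}': {dumps} -> artifacts {artifacts}")
```

Run as a pre-merge check or a branch-push hook and fail the review when a "high" finding appears; the "medium" findings are worth a look too, since non-secured variables are printed in plain text in build logs.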
